Legato Security Scales Up with Intezer Autonomous SOC

SOC analysts doing manual analysis couldn’t keep up with a growing alert volume – here’s how this MSSP scaled up by automating incident response processes.

Legato Security provides their clients with comprehensive cybersecurity expertise, designed to provide 24/7 monitoring and immediate response to threats.

Legato Security’s Goals

  • Automatically collect evidence (files, URLs, etc.) and investigate
    new incidents coming from different clients.
  • Maintain privacy for clients and potentially sensitive data during
    incident response investigations.

The Challenge: Deeply Investigating Many Alerts for Many Clients

Jesse Stoltz, the SOC manager for Legato Security, leads a team of 20 cybersecurity professionals who provide 24/7 monitoring and alerting services for a multitude of clients.

As an MSSP, more clients means more alerts. With a growing company and client base for Legato Security, Jesse and his SOC team needed to find an automated solution for investigating incidents from even more incoming alerts.

Manually collecting and uploading evidence to a traditional sandbox wasn’t efficient, taking up too much time given all the suspicious files and URLs produced from their alerts. Some tools that could have helped them with analysis didn’t give them the privacy they needed for their files or memory dumps, as they needed to avoid sharing private client data.

While researching different options, they found Intezer and started by trying out the free version’s features for file and URL analysis. Soon they realized Intezer’s potential to automate even more of their incident response processes, giving them bandwidth to take on more clients.

We have a large volume of alerts produced every day and manually performing analysis on all of these threats is not scalable.

Intezer has given us the ability to provide in-depth reporting in a timely manner. Moreover, having a private instance for us to upload potentially sensitive data was a “must have.”

Jesse Stoltz, SOC Manager at Legato Security


The Autonomous SOC Solution for Investigating Incidents

When Jesse’s SOC team began using Intezer, they realized they could get a suite of powerful tools for automating incident response processes. By integrating directly with their endpoint security platform, CrowdStrike, Intezer could autonomously collect evidence and investigate incidents for them. Intezer would handle Tier 1 SOC tasks like monitoring alerts, triaging false positives, investigating fileless malware, and more.

The implementation process for his team was incredibly smooth according to Jesse, with responsive and helpful support from Intezer along the way. His team found Intezer fit right into their processes as a “plug and play” solution to connect with CrowdStrike, without needing much maintenance or overhead from the team.

Now, the SOC analysts on Jesse’s team are using Intezer constantly – “all day, every day,” he says. In addition, they’re able to leverage the IOCs (indicators of compromise) extracted by Intezer to enable their detection engineering and develop higher-fidelity alerts.

Over one 3-month period, Intezer performed 932 “scans” to investigate incidents for Legato Security’s team. Those scans included artifacts Intezer collected automatically from CrowdStrike alerts, as well as any files the team uploaded for on-demand analysis. From all those scans, Intezer extracted and analyzed 10,228 unique artifacts (such as files and URLs).

Ultimately, Intezer was able to detect 25 distinct threat clusters by correlating all the malicious code analyzed, enabling Legato’s analysts to put more focus on those threats.

  • 932 – Scans performed by Intezer for incident response
  • 10,228 – Unique pieces of evidence (such as files, URLs, or memory
    dumps) extracted and analyzed by Intezer
  • 25 – Threat clusters detected by Intezer’s investigations for Legato
    Security

These numbers are a sample of Intezer’s analysis conducted over a period of 3 months.

Faster Time to Respond in a Ransomware Incident

In one instance, the team got a potential ransomware detection which Intezer confirmed as likely ransomware activity. While responding to the incident, they also leveraged Intezer’s endpoint scanning features to gather and report on additional memory forensic evidence. Based on the fast additional information from Intezer’s deep analysis and forensics, the SOC team was able to respond to the event more quickly.

Expanding Incident Response Automation with Intezer

Since onboarding with Intezer, Jesse and his team have benefited from ongoing improvements and new features that allow them to do much more, with fewer tools. They’re exploring even more use cases with Intezer’s API.

Jesse is looking forward to leveraging Intezer’s Detect & Hunt features more over time. Detect & Hunt gives them out-of-the-box detection content to generate effective hunting rules with high accuracy and low false-positive rates. With Intezer, he’s expecting they’ll be able to start automatically hunting for threats in their environments. It also enables them to create detections targeting threat actors and malware families, proactively hunting emerging threats or top threat clusters Intezer identifies – something that’s a game changer.
